Hannaford breach offers twists from prior attacks

CLARKE CANFIELD and BRIAN BERGSTEINThe Associated Press

Published Friday, March 21, 2008

PORTLAND, Maine -- At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain.

But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards.

For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.

While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.

"Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway.

Another intriguing facet is that Hannaford was found while the hack was still going on last month to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.

The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed.

The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants and by extension, their customers are falsely confident about their security. Already the PCI standards have been tightened in recent years, after such massive data breaches as the one in 2005 at CardSystems Solutions Inc., a payment processor.

David Navetta, president of InfoSecCompliance LLC, a Denver law firm that concentrates on computer security and regulatory compliance, argues that Hannaford and its assessor may have been tripped up by ambiguity in the PCI standards about when companies must encrypt payment data to cloak it from outsiders.

In particular, the standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment, so Navetta believes Hannaford may have erroneously felt safe leaving data unencrypted in a spot that turned out to be vulnerable.

Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process.

Wider use of encryption might seem an obvious answer. Because it's so difficult to detect when information is being stolen while in transit, companies "need to wake up to the fact that they need to encrypt information along every step," said Richard Gorman, CEO of Vormetric Corp., a data security firm in Santa Clara, Calif.

But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware.

"Would you like to sit at your gas pump for five minutes to get an authorization?" said Avivah Litan, a security analyst at Gartner Inc.

Litan believes that the PCI standards are strong and clear enough, but that Hannaford's assessor failed to properly test where the stores' network was open to intrusion. Or it might have overlooked the threat from insiders such as contractors with access to key systems. Likely, she said, the auditors placed "too much focus on data at rest and not enough on who can see data in transit."

Litan argues that the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions, she said, "would remove 75 to 90 percent of the fraud in the system."

The attack on Hannaford stores in the Northeast and its affiliated Sweetbay outlets in Florida revealed 4.2 million card numbers between Dec. 7 and March 10. Apparently about 1,800 cards have been used fraudulently. The U.S. Secret Service is investigating.

In the biggest such data theft, thieves busted the central database of TJX Cos., parent of the T.J. Maxx and Marshalls retail chains. The thieves took information tied to at least 45 million credit and debit cards, and are believed to have gotten the information that gave them undetected access to TJX's database by intercepting wireless signals in two Marshalls stores.

Hannaford doesn't store credit card information in its databases and uses a wired network to transfer information, said spokeswoman Carol Eleazer. Hannaford is still trying to figure out, she said, how its thefts occurred.